Relaunch of Risk Management
During the previous year we appointed a risk management subject matter expert, the Director of Risk and Assurance. Following this appointment, the Board commissioned an evaluation of our existing risk management framework. The review led to the implementation of a range of enhancements to build on the established platform.
The Group has continued to develop and implement a Risk Management Policy, against which we are monitoring enterprise-wide risk management. This policy sets out protocols covering roles and responsibilities for the risk framework and the definition of risk appetite as set by the Board (see the Risk Management Framework diagram below). A web-based tool, the Integrated Risk Management System (IRMS), has been deployed to record risk registers and to track risk mitigation action plans, helping embed ownership of risks and treatment actions while also providing access to live management information.
Risks are evaluated at a number of levels of the organisation, commencing with those which link to the Group achieving its strategic objectives. These risks are presented overleaf under our principal risks and uncertainties.
Risks are identified primarily by the management team through the use of a structured risk framework. Non-Executive reviews are carried out by two Board Committees: the Cyber Security Committee for IT centric risks and the Audit Committee for all other risk types. The Chief Information Security Office (CISO) reports to the Cyber Committee and the Director of Risk and Assurance reports to the Audit Committee.
While distinct from the established CISO role, the Director of Risk and Assurance works closely with the CISO to facilitate risk oversight across the full range of risk types.
RISK MANAGEMENT FRAMEWORK
As described below, risks are considered at various levels across the Group, commencing with a strategic view of risk.
RISK heat map
Business Strategy Management of Strategic Change Availability of criticalinformation systems Attracting and retaining appropriate colleague capacity and capability Cyber risk (including GDPR) Quality of Management Information Systems (MIS) and internal business processes Quality and Security Management Systems Brexit
Risk management processes and controls
The Board monitors the ongoing process by which relevant material risks are identified, evaluated and managed via the two subcommittees noted in Principal risks and uncertainties. On a quarterly basis, the subcommittees review the detailed risk registers that have been prepared and updated across the business along with the status of action plans that are in place to treat risks, which are considered to be excessive.
Evaluation and treatment of risk
Risks are evaluated using a simple but robust model, which forms part of the Risk Management Policy. The model, which is capable of application across multiple risk types, is sufficiently sensitive to record risks that have the potential to impact Viability Reporting obligations.
Risks are evaluated without considering the operation of any existing controls. This is done to form a view of inherent risk.
The impact of existing mitigating controls are then considered along with their effectiveness to determine the extent of residual risk. The assessments are made using a combination of impact and likelihood criteria to arrive at a total risk score. Residual risk is then considered against the Group Risk Appetite, which is a judgmental scoring matrix created by the Board to identify risks as being within or outside acceptable parameters for the Group.
Output from the evaluation of strategic risks has been used to help shape the Group's Transformation Programme. Where risks are assessed as being outside of appetite, treatment actions are agreed including owners, priorities and due dates, either within the Transformation governance structures or milestone plans owned by senior business leaders. The IRMS is used to track these actions, with data mining capabilities to produce reports to the Cyber Security and Audit Committees.
The Group uses a simple Risk Heat Map (above) to record an up-to-date view of residual risk. Viability risks are principal risks that the Directors consider are so extreme that they could jeopardise the business viability if they crystallise.
Principal risks and uncertainties
The Group continues to operate in a particularly dynamic and evolving marketplace. The very latest strategic risk register has been developed to reflect those factors.
The Directors have carried out a robust assessment of the principal risks facing the Group including those that would threaten its business model, future performance, solvency or liquidity. Detailed descriptions of the current principal risks and uncertainties faced by the Group, their potential impact and mitigating processes and controls are set out below. The tables also highlight whether the risk is assessed as increasing or decreasing with a similar assessment for the position last year. This includes identifying new principal risks and uncertainties.
|Risk Areas||Potential Impact||Mitigation|
| Business Strategy |
|A comprehensive business strategy is essential to the continued success of the Group as we strive to maximise shareholder value.||A poor strategy or ineffective execution of a strategy could have a material negative impact on the Group's financial performance and value. It would potentially weaken the Group compared to its competitors and risk the Group's established position in the marketplace.||Members of the Board have significant experience in evolving business strategies. The Board is significantly engaged in both setting and reviewing strategy and held a dedicated strategy session in March 2019.|
| Management of Strategic Change|
|As the Group adapts and executes its strategy there are a number of complex projects and initiatives that not only need to be delivered but also require understanding and support from all colleagues.||Poor change management could lead to ineffective implementation of projects that then cost more to deliver, take longer to deliver and result in fewer benefits being realised (or all three). Poor delivery of change could ultimately impair business performance.||The Group has established a Strategic Change Management capability and this includes access to Programme Management professionals and the deployment of associated change management processes, for example the operation of senior change oversight committees.|
| Availability of critical information systems |
|The Group is heavily reliant on continued and uninterrupted access to its IT systems. As well as environmental and physical threats, the Group is a natural target for individuals who may seek to disrupt the Group's commercial activities.||If the Group's critical systems failed, this could affect the Group's ability to provide services to our customers.||The Group continues to make significant investment in its IT infrastructure to ensure it continues to support the growth of the organisation.|
The Group has controls in place in order to reduce the risk of actual loss of critical systems. Further, controls are operated to ensure the availability of backup media in the event of prolonged loss of systems.
Initiating to standardise and simplify while increasing resilience, continues to be implemented. Additional focus is being periodically given to proving the recoverability of systems and data.
| Attracting and retaining appropriate colleagues capacity and capability |
|The Group would be adversely impacted if it were unable to attract and retain the right calibre of skilled colleagues.|
Some roles within the Group operate in highly technical and extremely specialised areas in which there are shortages of skilled people.
|Loss of key colleagues or significant colleagues turnover could result in a lack of necessary expertise or continuity to execute the Group's strategy.|
An inability to attract and retain sufficient high-calibre colleagues could become a barrier to the continued success and growth of NCC Group.
|Colleagues are offered a rewarding career structure and attractive salary and benefits packages, which can include participation in share schemes.|
Linked to the development of our people, the Group continues to review our values, personal performance management processes and aligned development programmes.
| Cyber risk (including GDPR) |
|As a provider of security services, the Group is a high profile target and could therefore be subject to attacks specifically designed to disrupt the Group's business and harm the Group's reputation.|
There could also be implications relating to our GDPR control obligations. Such events could adversely affect the market's perception of the Group as well as causing business disruption.
|Failure to maintain control over customer, colleague, commercial and/or operational data could lead to a range of impacts, including reputational damage. The misuse of personal data, for example without the customer's consent, or retaining for longer than is necessary, may also result in reputational harm, regulatory investigations and potential fines.||The Board operates a Cyber Security Committee chaired by the Chairman of the Board. The CISO reports to each meeting, in line with the Group Risk Management Policy.|
Security testing is regularly carried out on the Group's infrastructure and there are extensive response plans, which were reviewed during the year, in the event of a major security incident.
Comprehensive plans are in place and being delivered associated with discharging our GDPR obligations. Progress is monitored by the Cyber Security Committee.
Colleagues also receive regular security training and updates.
| Quality of Management Information Systems (MIS) and internal business processes|
|We need to ensure that trusted and relevant MIS are available on a day-to-day basis to inform management decisions and drive performance.||Suboptimal business decision-making and performance as key financial performance data is not available or trusted.||The Group finance function has developed a forward-facing Finance Functional Strategy. Enhancements were identified covering system and process standardisation. A comprehensive milestone plan is in place and progress is tracked and reported to each Audit Committee.|
Standardised business process control standards were recently issued across all parts of the Group. As the new financial year progresses, control self-assessment techniques will be implemented along with an aligned programme of Internal Audits.
| Quality and Security Management Systems|
|We aspire to attain and retain key internationally recognised standards, which form an important component for many of our customers.||The risk of the Group failing to retain a core standard, e.g. 9001, 27001 or PCI, with a consequential loss of key customer accounts or ability to operate.||We operate a comprehensive programme to ensure the retention of our core standards. This includes a portfolio of aligned policies and cascading business processes. A programme of internal audit provides assurance over the design and application of these policies and procedures. External assessors provide a further layer of review and challenge, confirming during the year the retention of our Quality and Security standards.|
| Brexit |
|Failure to prepare for the UK's departure from the EU may cause disruption to, and create uncertainty around, our business. Any disruption or uncertainty could have an adverse effect on our business, financial results and operations.||Uncertainty around the UK's departure from the EU continues as a result of the political deadlock. The risks associated with Brexit are the possibility of a 'no-deal' scenario and also the potential for an abrupt departure from the EU.||Similar to any UK company, we list Brexit as a significant risk due to the uncertainty surrounding the final form Brexit will actually take and when it will happen.|
We continue to plan for Brexit internally and the Brexit Steering Group meets regularly.
As our operations around the world include business entities based in continental Europe we believe NCC Group is structurally resilient to any disruption caused by Brexit. The main risks to our business from Brexit are:
- Any reduction in demand from an economic slowdown; and
- Real or perceived differences in data protection standards, which impact our global ways of working.
High impact Medium impact Low impact
Furthermore, as the Group's international footprint expands, there is an inherent risk of adverse foreign exchange movements affecting profitability. At present this risk is limited due to the relatively low level of inter-territorial trading but it will increase in future. Inability to refinance the Group's core banking facilities could call into doubt the Group's longer term viability. We have recently achieved a new five-year refinancing facility, which is more flexible and suited to our future needs. Equally, if those facilities lacked the appropriate flexibility and structure, this could inhibit delivery of the Group's strategy. The Group's current banking facilities cover all of the expected needs of the Group for the period of such facilities and are sufficiently flexible to allow the Group to function effectively. The Group has a Tax and Treasury Manager. Part of their role is to support the CFO in developing a Treasury strategy and overseeing its implementation.
Impact of Brexit on the Group
There is continuing uncertainty around the likely impact of Brexit on businesses. This uncertainty is likely to continue until at least 31 October 2019, which is the current deadline for the UK's departure from the EU.
We continue to plan for Brexit and we have a Brexit Steering Group that meets regularly. As our operations around the world include business entities based in continental Europe we believe NCC Group is structurally resilient to any disruption caused by Brexit. The main risks to our business from Brexit are:
- Any reduction in demand from an economic slowdown; and
- Real or perceived differences in data protection standards, which impact our global ways of working.
The context for assessment
In accordance with the requirements of the UK Corporate Governance Code 2016, the aim of the viability statement is for the Directors to report on the assessment of the prospects of the Group meeting its liabilities over the assessment period, taking into account the current financial position, outlook, principal risks and uncertainties, key judgments and estimates in preparing the Financial Statements.
The Directors have based their assessment of viability on the Group's current business model and strategic plan, which is updated and approved annually by the Board, in line with our objective to deliver sustainable and profitable growth, increasing shareholder value and offering an improved service and product offering to our customers. This is underpinned by the strategic priorities outlined in Our Strategy. The effective management of principal risks and uncertainties which outlines the assessment emphasis on those risks that could theoretically threaten the Group's ability to operate or to continue in existence (with the VR designation).
The assessment period
The Directors have assessed the viability of the Group over the three-year period to May 2022, as this is an appropriate planning time horizon given the speed of change and customer demand in the industry and is in line with the Group's strategic planning period.
Assessment of viability
The viability of the Group has been assessed taking into account the Group's current financial position, including the recently renegotiated external funding committed for the period of assessment, and after modelling the impact of certain scenarios arising from the principal risks, which have the greatest potential impact on viability in the period under review. In particular, the Board has considered the Group's ability to execute its strategy, the impact of a critical system failure, a successful cyber attack and the long-term impact on the Group's reputation and how the Group would respond to a no-deal Brexit.
The specific scenarios are hypothetical and necessarily severe for the purpose of creating outcomes that have the ability to threaten the viability of the Group. Should any of these scenarios occur, various options are available to the Group to maintain liquidity so as to continue in operation such as: accessing new external funding, more radical short-term cost reduction actions, and/or reductions in capital expenditure. None of these actions have been factored into our scenario modelling.
|Scenario||Associated principal risks and uncertainties||Description and potential impact|
|Business Strategy||Business Strategy|
Attracting and retaining appropriate colleagues capacity and capability
|Failure to deliver the SGT transformation programme|
Loss of key employees or inability to attract and retain key talent
The potential impact of the above would act as a barrier to future growth
|Systems failure||Availability of critical information systems|
Cyber risk (including GDPR)
|A critical systems failure, leading to an inability to provide services to customers|
The potential impact of this would be short-term reputational damage and an inability to do business in the short term, impacting revenue and profits
|Cyber security breach||Cyber risk (including GDPR)||A cyber security breach occurs with theft of data and disruption to business services|
The potential impact of this would be long-term reputational damage significantly impacting future revenue
|No-deal Brexit scenario||Brexit||All EU customers that are based in continental Europe no longer do business with the UK|
We are unable to transfer contracts/relationship to another EU subsidiary
The potential impact of this would not be severe as there are a limited number of services provided by the UK to other EU countries
Based on these severe but possible scenarios, the Directors have a reasonable expectation that the Group and Company will be able to continue in operation and meet its liabilities as they fall due over this forthcoming three-year period.